Apr 27, 2023 3 min read AppSec

Encryption is Overrated

Years ago I found myself in one of those awkward elevator pairings where you are unexpectedly face to face with your CEO. It's a particularly awkward spot when you are a CISO, as beyond the usual desperation to sound brilliant that most execs feel in that spot, the CEO these days also feels pressure to demonstrate "tone at the top", "executive buy-in", and "stakeholder oversight" when given the chance.

In that particular vignette I doubled down on the awkwardness, as his quick cordial cyber comment struck a nerve and I chose to use the last 17 seconds of our encounter to set the world straight. He said something inoffensive and meant to just keep the conversation going, but it was in the midst of one of the larger data breach stories and so it came out as something like "wow how bout yet another massive data breach? Whew... Yeah I hear the answer is all about encryption yeah?"

He was probably expecting something like "yes absolutely.. we are on it" and didn't mean to pick any sub-culture nerd-religious war, but I just couldn't let the encryption mania come to roost that close to home. I'm not sure what I hiccuped in that brief window of time between floors 2 and 6 but it was something like "Well.. actually, most stolen data probably is encrypted somewhere, but the bad guys don't realize it since it's dutifully decrypted for them by all the infrastructure erected to serve it up to legitimate customers". Maybe I was that eloquent. Probably not. But I got something like "oh I see... right..."

I feel like I fell on the right side of the 90/10 split between "let's fire this guy the minute we have a window" and "wow he brought some legitimate insight here," as I managed to keep my job for many years afterward.

Whether or not I managed to explain my position in that brief interval, I believed in it and still do. We've let ourselves be fed a problem instead of a solution, and as usual that keeps burning us through false senses of security and collateral damage.

It's not that I don't see a place for cryptography and encryption. In fact, I bank on it every day when it matters. The problem is that it's advertised as a solution where it absolutely does not fit. And as contrarian as it is to say, data protection is probably the most useless application of cryptography today.

Stepping back, cryptography at its roots has two main use cases: proving you have something without disclosing it, or making something indecipherable while it passes through enemy hands. The first area is all about public/private key cryptography and signing objects to prove they came from your pen. This beautiful construct serves us well in code signing and cryptocurrency transaction signing every day. It works well because the private keys or "secrets" involved can be sequestered in secret enclaves with computational abilities and perform relatively infrequent signing operations with protected key material. This area is where hardware security modules or "HSMs" thrive. Private keys are generated in the protected secret containers where they live alongside relatively static and simple algorithms that employ them. Transactions may be prepared elsewhere and then submitted to HSMs where they are hopefully adjudicated and, if found valid, get a beautiful stamp of authenticity that can be verified from anywhere.

The second application - sneaking through enemy lines - is more dangerous but absolutely essential. The core use case I think of here is broadcasting RF transmissions to friendly forces in a battlefield theater with enemy listeners. It's essential to get encryption right here, usually via the ultimate exchange of symmetric keys to protect messages with a finite shelf-life. It's not expected that this data will be secret forever, but it should stall the enemy long enough to get that artillery positioned and activated before it can be destroyed.
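The signing use case above, as an added example that is not part of the original post: an `Enclave` type stands in for an HSM, the Ed25519 private key is generated inside it and never exposed, transactions are prepared outside and submitted for adjudication, and anyone holding the public key can verify the stamp. The `Enclave`, `Transaction` and the policy rule in `Sign` are constructed for illustration; only Go's standard library is used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Enclave stands in for an HSM (constructed for this example): the private
// key is generated inside, and the type exposes no accessor for it. Callers
// get only the public key and a Sign operation.
type Enclave struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

// NewEnclave generates the key pair inside the "protected container".
func NewEnclave() (*Enclave, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Enclave{priv: priv, pub: pub}, nil
}

// PublicKey is the only key material that ever leaves the enclave.
func (e *Enclave) PublicKey() ed25519.PublicKey { return e.pub }

// Transaction is prepared elsewhere and submitted to the enclave.
type Transaction struct {
	From, To string
	Amount   int64
}

// Bytes is the canonical encoding that gets signed and verified.
func (t Transaction) Bytes() []byte {
	return []byte(fmt.Sprintf("%s|%s|%d", t.From, t.To, t.Amount))
}

// Sign adjudicates the transaction against a simple, static policy (a
// constructed toy rule) and only then applies the private key.
func (e *Enclave) Sign(t Transaction) ([]byte, error) {
	if t.From == "" || t.To == "" || t.Amount <= 0 {
		return nil, errors.New("enclave policy: transaction rejected")
	}
	return ed25519.Sign(e.priv, t.Bytes()), nil
}

// Verify runs anywhere: it needs the public key, the transaction and the
// signature, never the enclave.
func Verify(pub ed25519.PublicKey, t Transaction, sig []byte) bool {
	return ed25519.Verify(pub, t.Bytes(), sig)
}

func main() {
	enclave, err := NewEnclave()
	if err != nil {
		panic(err)
	}
	tx := Transaction{From: "alice", To: "bob", Amount: 5}
	sig, err := enclave.Sign(tx)
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", Verify(enclave.PublicKey(), tx, sig))
	tx.Amount = 500 // tamper after signing
	fmt.Println("tampered verifies:", Verify(enclave.PublicKey(), tx, sig))
}
```

The design point is that the enclave's surface is small and static: one policy check and one signature primitive over infrequent requests, which is what makes the private key defensible.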

You don't see encryption, however, in Pentagon file cabinets. Once you pass all the ACCESS CONTROLS and are holding the manila folder, the text on the paper is legible. Nobody thought they should scramble it. But if they had, you can bet it would not be long before there were some "secret descrambler glasses" lying all over the place in classified areas.

And that's basically what we are doing with encryption at rest, transparent data encryption (did anyone even THINK about what "transparent" means in TDE?), database encryption with stored procedures to decrypt it, and SO MUCH MORE. It's 100% theater. Laypeople think that encryption means SECURITY. They want their data protected, not encrypted. But it is far too easy to acquiesce and tick the encryption boxes, and the industry surrounding it is perversely incentivized to sell encryption even when it is irrelevant.

Let's be more intentional and deliberate about how and when we deploy encryption as a control. Let's model threats and articulate specific kill chain scenarios encryption will mitigate, and weigh the cost (including the cost of potentially blinding security tools) against the benefit.
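To make the "transparent" point and the threat-modeling exercise concrete, here is an added example that is not part of the original post. A constructed `Store` encrypts records at rest with AES-GCM, but the data key lives with the application and every read that passes the access check is decrypted automatically, exactly the TDE shape described above. The two scenarios a threat model would separate are then visible in code: a stolen storage snapshot yields only ciphertext, while anyone on the legitimate path (a valid principal, or an attacker holding that principal's session) gets plaintext, so the control doing the work there is the ACL, not the cipher. `Store`, its ACL and the record values are all constructed for illustration; only Go's standard library is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Store models transparent encryption at rest (constructed for this example).
// disk holds what an attacker with a stolen volume snapshot would see; acl is
// the access control the application enforces on the legitimate read path.
type Store struct {
	aead cipher.AEAD
	disk map[string][]byte   // record id -> nonce || ciphertext
	acl  map[string][]string // record id -> principals allowed to read
}

// NewStore generates the data key and keeps it with the application, which is
// what makes the decryption "transparent" to every authorized caller.
func NewStore() (*Store, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Store{aead: aead, disk: map[string][]byte{}, acl: map[string][]string{}}, nil
}

// Write encrypts a record and records which principals may read it.
func (s *Store) Write(id string, plaintext []byte, readers ...string) error {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// The record id is bound as associated data so blobs cannot be swapped.
	s.disk[id] = append(nonce, s.aead.Seal(nil, nonce, plaintext, []byte(id))...)
	s.acl[id] = readers
	return nil
}

// Read is the legitimate path: access control first, then automatic
// decryption. Whoever passes the first step gets plaintext.
func (s *Store) Read(principal, id string) ([]byte, error) {
	allowed := false
	for _, p := range s.acl[id] {
		if p == principal {
			allowed = true
			break
		}
	}
	if !allowed {
		return nil, errors.New("access denied")
	}
	blob, ok := s.disk[id]
	if !ok {
		return nil, errors.New("no such record")
	}
	n := s.aead.NonceSize()
	return s.aead.Open(nil, blob[:n], blob[n:], []byte(id))
}

// StolenSnapshot models the one scenario encryption at rest does mitigate:
// the attacker has the storage bytes but neither the application nor its key.
func (s *Store) StolenSnapshot(id string) []byte { return s.disk[id] }

func main() {
	s, err := NewStore()
	if err != nil {
		panic(err)
	}
	secret := []byte("account=4411 balance=1200") // constructed sample record
	if err := s.Write("rec1", secret, "alice"); err != nil {
		panic(err)
	}
	got, err := s.Read("alice", "rec1")
	fmt.Printf("legitimate path (alice):   %q err=%v\n", got, err)
	got, err = s.Read("mallory", "rec1")
	fmt.Printf("legitimate path (mallory): %q err=%v\n", got, err)
	fmt.Printf("stolen snapshot:           %x\n", s.StolenSnapshot("rec1"))
}
```

Reading the output back against a kill chain: encryption at rest earns its keep only in the snapshot scenario (lost media, backups, a storage-layer breach); for a compromised application, account or session the encryption is invisible, and the spend and the detection blind spot should be weighed against that narrower benefit.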